99018e28d83e750285117cf851e9215ead49fae1ef79d25d8257301bea9cf327

Analysis

max time kernel
16s
max time network
108s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31-12-2023 13:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

38875eb035d758d6ed5752975bdd2cd8.pdf
Size

37KB
MD5

38875eb035d758d6ed5752975bdd2cd8
SHA1

d3753c7f67cc76e4987fcf1cf5e7fe982d96bae0
SHA256

99018e28d83e750285117cf851e9215ead49fae1ef79d25d8257301bea9cf327
SHA512

6e6218f591b25ec645c5179301860400b01cc34ec5b66e93dfe8e410da8965124c960ac6ebf1c41736e9582be4ae5e5fe27ed93705bd6bbd392881ad924893c8
SSDEEP

768:qnNd7P8mAYz9shQSyxeUQE2MQkmwzv+r4KfFzj9i3UceD+9Jv:ulYyowFzvfQFzj9Jc8+9Jv

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2900	AcroRd32.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2900	AcroRd32.exe
2900	AcroRd32.exe
2900	AcroRd32.exe
2900	AcroRd32.exe
2900	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2900 wrote to memory of 2720	2900	AcroRd32.exe	93
PID 2900 wrote to memory of 2720	2900	AcroRd32.exe	93
PID 2900 wrote to memory of 2720	2900	AcroRd32.exe	93
PID 2720 wrote to memory of 3520	2720	RdrCEF.exe	95
PID 2720 wrote to memory of 3520	2720	RdrCEF.exe	95
PID 2720 wrote to memory of 3520	2720	RdrCEF.exe	95
PID 2720 wrote to memory of 3520	2720	RdrCEF.exe	95
PID 2720 wrote to memory of 3520	2720	RdrCEF.exe	95
PID 2720 wrote to memory of 3520	2720	RdrCEF.exe	95
PID 2720 wrote to memory of 3520	2720	RdrCEF.exe	95
PID 2720 wrote to memory of 3520	2720	RdrCEF.exe	95
PID 2720 wrote to memory of 3520	2720	RdrCEF.exe	95
PID 2720 wrote to memory of 3520	2720	RdrCEF.exe	95
PID 2720 wrote to memory of 3520	2720	RdrCEF.exe	95
PID 2720 wrote to memory of 3520	2720	RdrCEF.exe	95
PID 2720 wrote to memory of 3520	2720	RdrCEF.exe	95
PID 2720 wrote to memory of 3520	2720	RdrCEF.exe	95
PID 2720 wrote to memory of 3520	2720	RdrCEF.exe	95
PID 2720 wrote to memory of 3520	2720	RdrCEF.exe	95
PID 2720 wrote to memory of 3520	2720	RdrCEF.exe	95
PID 2720 wrote to memory of 3520	2720	RdrCEF.exe	95
PID 2720 wrote to memory of 3520	2720	RdrCEF.exe	95
PID 2720 wrote to memory of 3520	2720	RdrCEF.exe	95
PID 2720 wrote to memory of 3520	2720	RdrCEF.exe	95
PID 2720 wrote to memory of 3520	2720	RdrCEF.exe	95
PID 2720 wrote to memory of 3520	2720	RdrCEF.exe	95
PID 2720 wrote to memory of 3520	2720	RdrCEF.exe	95
PID 2720 wrote to memory of 3520	2720	RdrCEF.exe	95
PID 2720 wrote to memory of 3520	2720	RdrCEF.exe	95
PID 2720 wrote to memory of 3520	2720	RdrCEF.exe	95
PID 2720 wrote to memory of 3520	2720	RdrCEF.exe	95
PID 2720 wrote to memory of 3520	2720	RdrCEF.exe	95
PID 2720 wrote to memory of 3520	2720	RdrCEF.exe	95
PID 2720 wrote to memory of 3520	2720	RdrCEF.exe	95
PID 2720 wrote to memory of 3520	2720	RdrCEF.exe	95
PID 2720 wrote to memory of 3520	2720	RdrCEF.exe	95
PID 2720 wrote to memory of 3520	2720	RdrCEF.exe	95
PID 2720 wrote to memory of 3520	2720	RdrCEF.exe	95
PID 2720 wrote to memory of 3520	2720	RdrCEF.exe	95
PID 2720 wrote to memory of 3520	2720	RdrCEF.exe	95
PID 2720 wrote to memory of 3520	2720	RdrCEF.exe	95
PID 2720 wrote to memory of 3520	2720	RdrCEF.exe	95
PID 2720 wrote to memory of 3520	2720	RdrCEF.exe	95
PID 2720 wrote to memory of 3520	2720	RdrCEF.exe	95
PID 2720 wrote to memory of 1900	2720	RdrCEF.exe	94
PID 2720 wrote to memory of 1900	2720	RdrCEF.exe	94
PID 2720 wrote to memory of 1900	2720	RdrCEF.exe	94
PID 2720 wrote to memory of 1900	2720	RdrCEF.exe	94
PID 2720 wrote to memory of 1900	2720	RdrCEF.exe	94
PID 2720 wrote to memory of 1900	2720	RdrCEF.exe	94
PID 2720 wrote to memory of 1900	2720	RdrCEF.exe	94
PID 2720 wrote to memory of 1900	2720	RdrCEF.exe	94
PID 2720 wrote to memory of 1900	2720	RdrCEF.exe	94
PID 2720 wrote to memory of 1900	2720	RdrCEF.exe	94
PID 2720 wrote to memory of 1900	2720	RdrCEF.exe	94
PID 2720 wrote to memory of 1900	2720	RdrCEF.exe	94
PID 2720 wrote to memory of 1900	2720	RdrCEF.exe	94
PID 2720 wrote to memory of 1900	2720	RdrCEF.exe	94
PID 2720 wrote to memory of 1900	2720	RdrCEF.exe	94
PID 2720 wrote to memory of 1900	2720	RdrCEF.exe	94
PID 2720 wrote to memory of 1900	2720	RdrCEF.exe	94
PID 2720 wrote to memory of 1900	2720	RdrCEF.exe	94
PID 2720 wrote to memory of 1900	2720	RdrCEF.exe	94
PID 2720 wrote to memory of 1900	2720	RdrCEF.exe	94

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\38875eb035d758d6ed5752975bdd2cd8.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2900
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2720
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=0D519D169B8C0AA23235CD65076FE3CA --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=0D519D169B8C0AA23235CD65076FE3CA --renderer-client-id=2 --mojo-platform-channel-handle=1760 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:1900
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=93FF00184AEF1A4E246D4DB9649D3A7F --mojo-platform-channel-handle=1752 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:3520
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=EC88A20D35C03D4D33D759476B5092FD --mojo-platform-channel-handle=2296 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:3584
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=91B45FC47BDFA4255247BE79ACEC44AF --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=91B45FC47BDFA4255247BE79ACEC44AF --renderer-client-id=6 --mojo-platform-channel-handle=1740 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:5092
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=1BC7749BCC6BDE22966665248FA7EBEF --mojo-platform-channel-handle=1912 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4312
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=68311784F81AA8F84141B1E727E879FB --mojo-platform-channel-handle=2448 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4496

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
4715c56c78889da49c5a8b392a4a206b

SHA1
3cfbd34e69ea97a756a8d341bafefcde52e1755d

SHA256
b8a75d0b3c992b5df2d0f2b1e6f0b04c5b3f504803886390dd45a1a32e7a8f9c

SHA512
11b4e6ce5b55e3f416d54797f8c46d4b5e12ff498f51e19d47fa6e98eb524b4312304d59da0b116030d19c2b2d773ec2d776f059fd96999f68b4ed49aa7faf5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
56KB

MD5
c26ed30e7d5ab440480838636efc41db

SHA1
c66e0d00b56abebfb60d2fcc5cf85ad31a0d6591

SHA256
6a3c5c4a8e57f77ecc22078fbf603ecc31fb82d429bd87b7b4b9261447092aef

SHA512
96cdb78bca3e01d4513c31661987e5646e6a8ff24708918aa0d66dfa3ca5d98af4862c9f38c4f41f933c345d2d3adfb1d34d1430b33f45f916f41a9872a030df

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
1KB

MD5
d0df5f9974138501424cb06472477adf

SHA1
9d143e2c9c48327c6fa0b4f2fb65be982037db51

SHA256
6c3615c908cb98afc062e70b7f985bf7b667fd8540a25824aa07a14b6b6a05d6

SHA512
9a7d8b47a8311e00ba206fee9bf0d42991a0caaf43492ea067bb6c9eb333a3231a35bae1efcd95add82d6dbfcfef5e10d42c084b9e73c5fdd7eadf8131324617

Download Submit